Introduction

Building a high-performance mail delivery system is one thing;
building one that does not knock over other systems is a different
story. Some mailers suffer from the thundering herd syndrome:
they literally flood other systems with mail. Postfix tries to be
a fast mailer and a good neighbor at the same time.

On the inbound side, the Postfix SMTP
server has defenses in place against malicious or confused
clients. They won't protect against an all-out denial of service
attack on your infrastructure, but then nothing will except pulling
the plug.

Unless indicated otherwise, all parameters described here are in
the main.cf file. If you change parameters of a running
Postfix system, don't forget to issue a postfix reload
command.

The default_destination_concurrency_limit parameter
(default: 20) controls how many messages may be sent to the same
destination simultaneously. You can override this setting for
specific delivery channels (local, smtp, uucp etc.). The
main.cf file recommends the following:

local_destination_concurrency_limit = 2

default_destination_concurrency_limit = 20

The local_destination_concurrency_limit parameter controls
how many messages are delivered simultaneously to the same local
recipient. The recommended limit is low because delivery to the
same mailbox must happen sequentially, so massive parallelism is
not useful. Another good reason to limit delivery concurrency to
the same recipient: if the recipient has an expensive shell command
in her .forward file, or if the recipient is a mailing list
manager, you don't want to run too many instances at the same time.

A destination concurrency limit of 20 for SMTP delivery seems enough
to noticeably load a system without bringing it to its knees. Be
careful when changing this to a much larger number.
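The per-channel overrides described above can be audited offline. The following is an added example, not part of the original page or of Postfix itself: it resolves the effective destination concurrency limit for each delivery channel from main.cf text and lists the channels above a review ceiling. The function names, the channel list, the ceiling of 20 and the sample file are assumptions made for illustration.

```python
import re

SUFFIX = "_destination_concurrency_limit"
# Values the page gives: default 20, recommended local limit 2.
PAGE_VALUES = {"default" + SUFFIX: "20", "local" + SUFFIX: "2"}

# Constructed sample main.cf, not taken from a real system.
SAMPLE_MAIN_CF = """\
# delivery concurrency
default_destination_concurrency_limit = 20
local_destination_concurrency_limit = 2
smtp_destination_concurrency_limit =
    200
uucp_destination_concurrency_limit = $default_destination_concurrency_limit
default_destination_concurrency_limit = 30
"""


def parse_main_cf(text):
    """Return {name: value}: skips comments, joins continuation lines, last definition wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:  # leading whitespace continues the previous line
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def effective_limits(params, channels=("local", "smtp", "uucp")):
    """Resolve each channel's limit, falling back to the default when it has no override."""
    merged = {**PAGE_VALUES, **params}

    def resolve(name, depth=0):
        value = merged.get(name, "$default" + SUFFIX)
        ref = re.fullmatch(r"\$[{(]?(\w+)[})]?", value)
        if ref and depth < 5:  # follow $name references, bounded against loops
            return resolve(ref.group(1), depth + 1)
        return int(value)

    return {ch: resolve(ch + SUFFIX) for ch in channels}


def over_ceiling(limits, ceiling=20):
    """Channels above the review ceiling (20 is an assumption based on the page's caution)."""
    return sorted(ch for ch, n in limits.items() if n > ceiling)


if __name__ == "__main__":
    print(over_ceiling(effective_limits(parse_main_cf(SAMPLE_MAIN_CF))))
```

In the sample, the second definition of the default raises it to 30, so the uucp channel that merely references the default is flagged along with the explicit smtp override.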

The Postfix SMTP server increments a
per-session error counter whenever a client request is unrecognized
or unimplemented, or whenever a client request violates UCE restrictions or fails for other reasons. The error
counter is reset when a message is transferred successfully.

As the per-session error count increases, the SMTP server changes
behavior. The idea is to limit the damage by slowing down the
client. The behavior is controlled by the following parameters:

Unfortunately, the Postfix SMTP server does not yet know how to
limit the number of connections from the same client,
other than by limiting the total number of SMTP server processes
(see process limit). Things could be worse:
some mailers don't even implement an SMTP server process limit.
That's of course no excuse. I'm still looking for a good solution.